Traditionally backups have been made to tape, since tape is relatively cheap and mobile. This is still the case at many sites, particularly larger ones; but tapes usually need to be dealt with manually, by a human or by an expensive robot. This adds a price tag to tape backup which smaller institutions can find difficult to manage. By way of contrast, the price of disks and networking has fallen dramatically. For an organization with few resources, a cheap solution to the backup problem is to mirror disks across a network [244], using well-known tools like rdump, rdist or cfengine. This solves the problems of redundancy and location; and, for what it costs to employ a human or tape robot, one can purchase quite a lot of disk space.
Another change is the development of fast, reliable media like CD-ROM. In earlier times, it was normal to backup the operating system partitions of hosts to tape. Today that practice is largely unnecessary: the operating system is readily available on some straightforward medium (e.g. CD-ROM or DVD) which is at least as fast as a tape streamer and consumes a fraction of the space. It is only necessary to make backups of whatever special configuration files have been modified locally. Sites which use cfengine can simply allow cfengine to reconstruct local modifications after an OS installation. In any event, if we have followed the principle of separating the operating system from local modifications, this is no problem at all.
Similar remarks can be made about other software. Commercial software is now sold on CD-ROM and is trivial to reinstall (remember to keep a backup of license keys). For freely available software, there are already many copies and mirrors at remote locations by virtue of the Internet. For convenience, a local source repository can also be kept, to speed up recovery in the case of an accident. In the unlikely event of every host being destroyed simultaneously, downloading the software again from the network is the least of your worries!
Reconstructing a system from source rather than from backup has never been easier than now. Moreover, a policy of not backing up software which is easily accessible from source can make a considerable saving in the volume of backup space required, at the price of more work in the event of accident. In the end this is a matter of policy.
It should be clear that user-data must have maximum priority for backup. This is where local creativity manifests itself; these are the data which form your assets.
11.7.2 Loss of service
Loss of service might be less permanent than the loss of data, but it can be just as debilitating. Downtime costs money for businesses and wastes valuable time in academia.
The basic source of all computing power is electricity. Loss of electrical power can be protected against, to a limited extent, with an uninterruptible power supply (UPS). This is not an infallible security, but it helps to avoid problems due to short breaks in the power. UPS solutions use a battery backup to keep the power going for a few hours when power has failed. When the battery begins to run down, they can signal the host so as to take it down in a controlled fashion, thus minimizing damage to disks and data. Investing in a UPS for an important server could be the best thing one ever does. Electrical spike protectors are another important accessory for anyone living in a region where lightning strikes are frequent, or where the power supply is of variable quality. No fuse will protect a computer from a surge of electricity: microelectronics burn out much quicker than any fuse.
Service can also be interrupted by a breach of the network infrastructure: a failed router or broken cable, or even a blown fuse. It can be interrupted by cleaning staff, or carelessness. A backup or stand-by replacement is the only option for hardware failure. It helps to have the telephone number of those responsible for network hardware when physical breaches occur.
Software can be abused in a denial of service attack. Denial of service attacks are usually initiated by sending information to a host which confuses it into inactivity. There are as many variations on this theme as there are vandals on the network. Some attacks exploit bugs, while others are simply spamming episodes, repeatedly sending a deluge of service requests to the host, so that it spends all of its resources on handling the attack.
Principle 61 (Protocols offer predictability) A well-designed protocol, either for human behavior or machine behavior, standardizes behavior and offers predictability.
11.7.4 Authentication
In order to provide basic security for individuals, we need to keep track of the identity of users who make requests of the system. Authentication means determining whether the claim of identity is authentic. Usually we mean verifying somebody’s identity. There are two reasons for authenticating users:
• User-based access control of files and programs requires users to be distinguished by an identity.
• Accountability: attaching actions to users for recording in logs.
All authentication is based on the idea of comparing unique attributes of individuals with some database. Often ownership of a shared secret is used for this purpose, such as a password or encryption key, known only to the individual and the authenticator.
There is much confusion surrounding authentication. Much of this stems from the many claims made by cryptographic methods to provide secure methods for authenticating user identities. While this is not incorrect, it misses a crucial point.
Principle 62 (Identification requires trust) Establishing identity is ‘impossible’. Identification requires an initial introduction, based on trust.
Corollary to principle (Authentication is re-identification) Authentication is the confirmation of a previously trusted identity.
The first time we meet a person or contact a host on a network, we know nothing about them. When a previously unknown person or host claims their identity we must accept this information on trust. No matter how many detailed measurements we make (DNA test, processor serial number, secure exchange of keys etc.), there is no basis for matching those identifying marks to the identity claimed – since we cannot mind-read, we simply have to trust it. Once an initial identity has been accepted as true, one can then use unique properties to identify the individual again in the future, in a variety of ways, some more secure than others. The special markers or unique properties can only confirm that a person or host is the same person or host as we met previously. If the original introduction was faked, the accuracy of recognition cannot detect this.
Password login
The provision of a username claims our identity and a password verifies that claim. If this authentication succeeds, we are granted access to the system, and all of our activities then occur within the scope of an identifier which represents that user. On Unix-like systems, the username is converted into a global unique user-id number (UID). On Windows systems, the username is converted into a security-id (SID) which is only unique on a local host.
There are obvious problems with password authentication: passwords can be guessed and they can be leaked. Users with only weak passwords are vulnerable to dictionary and other brute-force attacks.
This type of login is called unilateral authentication, that is, it identifies the user to the computer. It does not verify the identity of the computer to the user. Thus a malicious party could fake a login dialogue on a computer, using this to collect passwords and account information.
Unix does not attempt to solve this problem, but NT and its successors provide a ‘secure attention sequence’. If the user types CTRL+ALT+DEL, they are guaranteed to be directed to the operating system, rather than any user programs which might be trying to look like the OS.
Authentication types
The OSI security architecture (ISO 7498-2) makes a distinction between different kinds of authentication:
• Entity authentication: checking the identity of an individual or entity.
• Origin authentication: checking the location of an individual or entity.
• Unilateral authentication: verifying the entity to the authenticator.
• Mutual authentication: verifying both parties to one another.
Authentication is usually performed at the start of a session between client and system. Once one stops checking, an attacker could subsequently sneak in and change places with an authenticated user. Thus to ensure security in an on-going conversation, we have to verify identity and then use some kind of secret key to ensure that the identity cannot be changed, e.g. by encrypting the conversation. The key is only known by the authenticated parties, such as a secret that has been exchanged.
Challenge response protocols
Consider two parties A and B, who need to open a dialogue and verify a previously trusted identity. A starts the protocol by sending a message to B, M1. B replies with M2, etc. We assume that message N + 1 is not sent until message N has been received and understood.
During or after the exchange of the messages we need to be sure of the following:
• That the messages were received (unaltered) from the hosts which were supposed to send them.
• That the messages are fresh, i.e. not replays of old messages.
• That message N + 1 is a correct reply to message N, not a misleading reply to a different question.
The first of these assurances can be made by using cryptographic checksums (message digests such as MD5 or SHA-1) or a Message Authentication Code (MAC) that verifies both the identity of the sender and the integrity of the message, using a cryptographic key.
The second could be assured by the use of a time-stamp, though this would be vulnerable to errors of clock synchronization. A better approach is to use a random challenge or nonce (from the medieval English for ‘once only’).
A nonce is usually a long random number that is encrypted with a key that can only be decrypted by the receiver. The receiver then replies to the sender of the nonce by decrypting it and sending it back. Only the keeper of the secret could do this, and thus this confirms the identity of the receiver as well as the freshness of the reply. To achieve a mutual authentication, both parties send challenges to one another.
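As an added example (not from the book), the mutual challenge-response exchange M1, M2, M3 described above, worked through in Python. Instead of encrypting the nonce for the receiver to decrypt, each side proves possession of the shared key with an HMAC over the claimed identity and both nonces (a standard substitute technique); the party names and message layout are assumptions for this example.

```python
import hashlib
import hmac
import secrets


class Party:
    """One end of a mutual challenge-response dialogue over a shared secret key."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.seen = set()      # nonces already answered: a repeat is a replay
        self.pending = {}      # peer name -> [our nonce, peer's nonce]

    def _mac(self, *parts):
        # The MAC covers the claimed identity and both nonces, so message N+1
        # is bound to message N and cannot be a reply to a different question.
        return hmac.new(self.key, b"|".join(parts), hashlib.sha256).digest()

    def challenge(self, peer):
        """M1: state who we are and send a fresh nonce (the 'once only' value)."""
        nonce = secrets.token_bytes(16)
        self.pending[peer] = [nonce, None]
        return {"from": self.name, "nonce": nonce}

    def respond(self, m1):
        """M2: answer the peer's challenge and issue our own, making it mutual."""
        if m1["nonce"] in self.seen:
            raise ValueError("replayed challenge")
        self.seen.add(m1["nonce"])
        nonce = secrets.token_bytes(16)
        self.pending[m1["from"]] = [nonce, m1["nonce"]]
        tag = self._mac(self.name.encode(), m1["nonce"], nonce)
        return {"from": self.name, "nonce": nonce, "tag": tag}

    def finish(self, m2):
        """Check M2 (peer is now authenticated to us) and send M3 (we prove ourselves)."""
        our_nonce, _ = self.pending[m2["from"]]
        expected = self._mac(m2["from"].encode(), our_nonce, m2["nonce"])
        if not hmac.compare_digest(expected, m2["tag"]):
            raise ValueError("wrong key or stale reply")
        if m2["nonce"] in self.seen:
            raise ValueError("replayed challenge")
        self.seen.add(m2["nonce"])
        self.pending[m2["from"]][1] = m2["nonce"]
        tag = self._mac(self.name.encode(), m2["nonce"], our_nonce)
        return {"from": self.name, "tag": tag}

    def verify(self, m3):
        """Check M3 against the nonce we issued in M2; this completes mutual authentication."""
        our_nonce, peer_nonce = self.pending.pop(m3["from"])
        expected = self._mac(m3["from"].encode(), our_nonce, peer_nonce)
        return hmac.compare_digest(expected, m3["tag"])


def mutual_authenticate(a, b):
    """Run the three-message exchange; True only if both sides hold the same key."""
    try:
        m1 = a.challenge(b.name)   # A -> B: identity, nonce_A
        m2 = b.respond(m1)         # B -> A: identity, nonce_B, MAC(B, nonce_A, nonce_B)
        m3 = a.finish(m2)          # A -> B: identity, MAC(A, nonce_B, nonce_A)
        return b.verify(m3)
    except ValueError:
        return False


def replay_is_rejected():
    """Re-sending an old M1 to B must fail: that nonce has already been used once."""
    key = secrets.token_bytes(32)
    a, b = Party("A", key), Party("B", key)
    m1 = a.challenge("B")
    b.respond(m1)
    try:
        b.respond(m1)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    shared = secrets.token_bytes(32)
    print(mutual_authenticate(Party("A", shared), Party("B", shared)))   # True
    print(mutual_authenticate(Party("A", shared), Party("B", b"other")))  # False
    print(replay_is_rejected())                                           # True
```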
11.7.5 Integrity
Trust is the pernicious problem of security. How are we able to trust files and data which others send? Programs that we download could contain viruses or Trojan horses. Assuming that we trust the person who wrote the program, how can we be sure that no one else has tampered with it in between?
There are some things we can do to increase our confidence in data we receive from a foreign source. One is to compare message digests.
Message digests or hashes are cryptographic checksums which quickly summarize the contents of a file. The idea is to create an algorithm which digests the contents of a file and produces a single value which uniquely summarizes its contents. If we change one bit of a file, then the value of the message digest also changes. Popular algorithms include:
MD5 signatures are often quoted at security software repositories so that it is possible to verify the authenticity of software (assuming the MD5 signature is authentic!).
11.8 Some well-known attacks
There are many ways to attack a networked computer in order to gain access to it, or simply disable it. Some well-known examples are listed below. The actual attack mechanisms used by attackers are often intricate and ingenious, but the common theme in all of them is to exploit naive limitations in the way network services are implemented. Time and again one sees crackers make use of software systems which were written in good faith, by forcing them into unnatural situations where the software fails through inadequate checking.
11.8.1 Ping attacks
RFC 791 specifies that Internet datagrams shall not exceed 64 kB. Some implementations of the protocol can send packets which are larger than this, but not all implementations can receive them:
ping -s 65510 targethost
Some older network interfaces can be made to crash certain operating systems by sending them a ‘ping’ request like this with a very large packet size. Most modern operating systems are now immune to this problem (e.g. NT 3.51 is vulnerable, but NT 4 is not). If not, it can be combatted with a packet filtering router. See http://www.sophist.demon.co.uk/ping/
11.8.2 Denial of service (DoS) attacks
Another type of attack is to overload a system with so many service requests that it grinds to a halt. One example is mail spamming,² in which an attacker sends large numbers of repetitive E-mail messages, filling up the server’s disk and causing the sendmail daemon to spawn rapidly and slow the system to a standstill. Denial of service attacks are almost impossible to protect against. It is the responsibility of local administrators to prevent their users from initiating such attacks wherever possible.
11.8.3 TCP/IP spoofing
Most network resources are protected on the basis of the host IP addresses of those resources. Access is granted by a server to a client if the IP address is contained in an access control list (ACL). Since the operating system kernel itself declares its own identity when packets are sent, it has not been common to verify whether packets actually do arrive from the hosts which they claim to arrive from. Ordinary users have not traditionally had access to privileges which allow them to alter network protocols. Today everyone can run a PC with privileged access to the networking hardware.
Normally an IP datagram passing from host A to host B has a destination address ‘host B’ and source address ‘host A’ (see figure 11.4). IP spoofing is the act of forging IP datagrams in such a way that they appear to come from a third party host, i.e. an attacker at host A creates a packet with destination address ‘host B’ and source address ‘host C’. The reasons for this are various. Sometimes an attacker wants to appear to be host C in order to gain access to a special resource which host C has privileged access to. Another reason might be to attack host C, as part of a more elaborate attack. Usually it is not quite this simple however, since the forgery is quickly detected. The TCP handshake is such that host A sends a packet to host B, which then replies to the source address with a sequence number which has to match the next number of an agreed sequence. If another packet is not received with an agreed sequence number the connection will be reset and abandoned. Indeed, if host C received the confirmation reply for a message which it never sent, it would send a reset signal back immediately, saying effectively ‘I know nothing about this’. To prevent this from happening it is common to take out host C first by attacking it with some kind of Denial of Service method, or simply choosing an address which is not used by any host. This prevents it from sending a reset message. The advantage of choosing a real host C is that the blame for the attack is placed on host C.
IP spoofing can also be used as a denial of service attack. By choosing an address for host C which is not in use so that it cannot reply with a reset, host A can send SYN packets (new connections) on the same and other ports repeatedly. The RECV queue quickly fills up and cannot be emptied since the connections cannot be completed. Because the queues are filled the services are effectively cut off. These attacks could be prevented if routers can be configured so as to disallow packets with forged source addresses.
Figure 11.4: IP spoofing. A third party host C assumes the role of host A.
² From the Monty Python song ‘Spam spam spam spam’.
11.8.5 TCP sequence guessing
This attack allows an attacker to make a TCP connection to a host by guessing the initial TCP sequence number used by the other end of the connection. This is a form of IP spoofing by a man in the middle. The attack was made famous by the break-in to Tsutomu Shimomura’s computers which led to the arrest of Kevin Mitnick. This attack is used to impersonate other hosts for trusted access [29, 220]. This approach can now be combatted by using random initial sequence numbers (using the strategy expounded in section 7.7.5), though many operating systems require special configuration to enable such measures.
11.8.6 IP/UDP fragmentation (Teardrop)
A Teardrop attack was responsible for the now famous twelve-hour attack which ‘blue-screened’ thousands of NT machines all over the world. This attack uses the idea of datagram fragmentation. Fragmentation is something which happens as a datagram passes through a router from one network to another network where the Minimum Transfer Unit (MTU) is lower. Large packets can be split up into smaller packets for more efficient network performance. In a Teardrop attack, the attacker forges two UDP datagrams which appear to be fragments of a larger packet, but with data offsets which overlap.
When fragmentation occurs it is always the end host which reassembles the packets. In order to allocate memory for the data, the kernel calculates the difference between the end of the datagram and the offset at which the datagram fragment started. In a normal situation that would look like that in figure 11.5.
In a Teardrop attack the packets are forged so that they overlap, as shown in figure 11.6. The assumption that the next fragment would follow on from the previous one leads to a negative number for the size of the fragment. As the kernel tries to allocate memory for this it calls malloc(size) where the size is now a negative number. The kernel panics and the system crashes on implementations which did not properly check the bounds.
Figure 11.6: Spoofed UDP fragmentation generates a negative size.
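An added example (not from the book) of the size calculation just described and of the bounds checking that prevents it: `naive_fragment_size` models the kernel's assumption that each fragment follows on from the previous one, and `Reassembler` is a hardened reassembly table that refuses overlapping, empty or oversized fragments before any memory is allocated. The fragment offsets are constructed values for the example, not taken from a real capture.

```python
def naive_fragment_size(prev_end, frag_offset, frag_end):
    """The calculation the text describes: the kernel assumes the new fragment
    follows on from the previous one, so it moves the offset up to the previous
    end to trim any overlap and then takes size = end - offset. When a forged
    fragment ends *before* the previous one ended, the result is negative."""
    if frag_offset < prev_end:
        frag_offset = prev_end
    return frag_end - frag_offset


class Reassembler:
    """Bounds-checked reassembly of one datagram's fragments."""

    MAX_DATAGRAM = 65535  # RFC 791 limit on the total datagram length

    def __init__(self):
        self.fragments = []  # accepted (offset, end) pairs
        self.rejected = []   # (offset, end, reason), kept so the event can be logged

    def accept(self, offset, length):
        """Return True and record the fragment, or False with a reason if it is unsafe."""
        end = offset + length
        reason = None
        if length <= 0 or offset < 0:
            reason = "empty or negative fragment"
        elif end > self.MAX_DATAGRAM:
            reason = "fragment runs past the 64 kB datagram limit"
        elif any(offset < e and o < end for o, e in self.fragments):
            reason = "overlaps a fragment already received"
        if reason:
            self.rejected.append((offset, end, reason))
            return False
        self.fragments.append((offset, end))
        return True

    def complete_length(self):
        """Total length if the fragments are contiguous from offset 0, else None."""
        pos = 0
        for o, e in sorted(self.fragments):
            if o != pos:
                return None
            pos = e
        return pos


if __name__ == "__main__":
    # Constructed Teardrop-style pair: the second fragment starts inside the
    # first and ends before the first one ended (end 28 < previous end 36).
    print(naive_fragment_size(36, 24, 28))   # -8: the negative size passed to malloc()
    r = Reassembler()
    print(r.accept(0, 36), r.accept(24, 4))  # True False
    print(r.rejected)
```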
11.8.7 ICMP flooding (Smurf)
ICMP flooding is another denial of service attack. The ICMP protocol is the part of TCP/IP which is used to transmit error messages and control information between hosts. Well-known services like ping and echo use ICMP. Normally all hosts respond to ping and echo requests without question, since they are useful for debugging. In an ICMP flooding attack, the attacker sends a spoofed ICMP packet to the broadcast address of a large network. The source address of the packet is forged so that it appears to come from the host which the attacker wishes to attack. Every host on the large network receives the ping/echo request and replies to the same host simultaneously. The host is then flooded with requests. The requests consume all the system resources.
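An added example (not from the book) of the router-side check that section 11.8.3 suggests, extended to the ICMP flood above: a datagram is forwarded only if its source address belongs to the prefix expected on the interface it arrived on, and packets from outside addressed to one of our directed-broadcast addresses are dropped as well. The interfaces and prefixes are a constructed topology for the example.

```python
import ipaddress
from collections import Counter

# Constructed topology: the source prefixes that legitimately sit behind each
# router interface. The uplink may carry any source, except our own.
INTERFACE_PREFIXES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],        # departmental LAN
    "lan1": [ipaddress.ip_network("198.51.100.0/25")],     # server LAN
    "uplink": [ipaddress.ip_network("0.0.0.0/0")],         # the rest of the Internet
}
INTERNAL = []
for _iface, _nets in INTERFACE_PREFIXES.items():
    if _iface != "uplink":
        INTERNAL.extend(_nets)


def ingress_verdict(iface, src, dst):
    """Decide whether a datagram arriving on `iface` may be forwarded.

    Returns "accept" or a "drop: <reason>" string the caller can log.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    allowed = INTERFACE_PREFIXES.get(iface)
    if allowed is None:
        return "drop: unknown interface"
    # Anti-spoofing: a source may only enter on the interface its prefix sits behind.
    if not any(src_ip in net for net in allowed):
        return "drop: source %s not valid on %s" % (src, iface)
    # A packet claiming one of our own addresses cannot legitimately arrive from outside.
    if iface == "uplink" and any(src_ip in net for net in INTERNAL):
        return "drop: internal source %s arriving from outside" % src
    # Outside hosts must not reach our broadcast addresses (the amplifier in an ICMP flood).
    if iface == "uplink" and any(dst_ip == net.broadcast_address for net in INTERNAL):
        return "drop: directed broadcast to %s" % dst
    return "accept"


def filter_log(packets):
    """Apply the verdict to (iface, src, dst) triples, keeping the decision for each."""
    return [(iface, src, dst, ingress_verdict(iface, src, dst)) for iface, src, dst in packets]


def drop_counts(packets):
    """Drops per interface: a sudden rise is the signal worth alerting on."""
    counts = Counter()
    for iface, _src, _dst, verdict in filter_log(packets):
        if verdict != "accept":
            counts[iface] += 1
    return dict(counts)


# Constructed sample traffic for the example.
SAMPLE = [
    ("lan0", "192.0.2.10", "203.0.113.1"),       # normal outbound traffic
    ("lan0", "203.0.113.5", "192.0.2.1"),        # forged source on the LAN side
    ("uplink", "192.0.2.10", "198.51.100.3"),    # our own address arriving from outside
    ("uplink", "203.0.113.5", "192.0.2.255"),    # directed broadcast from outside
    ("uplink", "203.0.113.5", "192.0.2.7"),      # ordinary inbound traffic
]

if __name__ == "__main__":
    for row in filter_log(SAMPLE):
        print(row)
    print(drop_counts(SAMPLE))   # {'lan0': 1, 'uplink': 2}
```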
11.8.8 DNS cache poisoning
This attack is an example of the exploitation of a trusted service in order to gain access to a foreign host. Again it uses a common theme, that of forging a network service request. This time, however, the idea is to ask a server to cache some information which is incorrect so that future look-ups will result in incorrect information being given instead of the correct information [29].
DNS is a hierarchical service which attempts to answer queries about IP names and addresses locally. If a local server does not have the information requested it asks an authoritative server for that information. Having received the information from the authoritative server it caches it locally to avoid having to contact the other server again; after all, since the information was required once, it is likely that the same information will be required again soon. The information is thus placed in the cache for a period of time called the TTL (Time To Live). After that time has expired it has to be obtained again from the authoritative server.
In a cache poisoning attack, the aim is to insert incorrect information into the cache of a server. Once it is there it will be there for the TTL period. In order to arrange this an attacker does the following:
1 The attacker launches his/her attack from the authoritative nameserver for his/her network. This gives him/her the chance to send information to another nameserver which will be trusted.
2 The attacker sends a query for the IP address of the victim host to the victim’s default DNS server in order to obtain a DNS query ID. This provides a point of reference for guessing, i.e. forging, the next few query IDs from that server.
3 The attacker then sends a query asking for the address of a host which the victim machine trusts, i.e. the host which the attacker would like to impersonate.
4 The attacker hopes that the victim host will soon need to look up the IP address of the host it trusts; he/she sends a fake ‘reply’ to such a DNS lookup request, forged with the query ID to look as though it comes from a lookup of the trusted host’s address. The answer for the IP address of the trusted host is altered so that it is the IP address of the attacker’s host.
5 Later when the victim host actually sends such a DNS request it finds that it has already received a UDP reply to that request (this is the nature of UDP) and it ignores the real reply because it arrives later. Now the victim’s DNS cache has been poisoned.
6 The attacker now attempts to connect directly to the victim host, posing as the trusted host. The victim host tries to verify the IP address of the host by looking up the address in its DNS server. This now responds from its cache with the forged address.
7 The attacker’s system is accepted.
This kind of attack requires the notion of external login based on trust, e.g. with Unix rhosts files. This doesn’t help with NT because NT doesn’t have trusted hosts in the same way. On the other hand, NT is much easier to gain access to through NULL sessions.
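An added example (not from the book) of the resolver-side checks that the procedure above depends on being absent: query IDs are drawn at random rather than sequentially (step 2 relies on guessing them), a reply is accepted only if it matches an outstanding question, a second reply to the same question is dropped rather than being cached, and entries expire at their TTL. The clock callable and the host names are assumptions for the example.

```python
import secrets


class Resolver:
    """Caching resolver that validates replies before trusting them."""

    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.outstanding = {}       # query id -> question name we asked
        self.cache = {}             # question name -> (address, expiry time)
        self.dropped = []           # (id, name, reason), kept for monitoring

    def send_query(self, qname):
        """Issue a query under an unpredictable 16-bit id and remember the question."""
        qid = secrets.randbelow(65536)
        while qid in self.outstanding:
            qid = secrets.randbelow(65536)
        self.outstanding[qid] = qname
        return qid

    def receive_reply(self, qid, qname, address, ttl):
        """Cache a reply only if it answers a question we actually asked, exactly once."""
        if self.outstanding.get(qid) != qname:
            # Wrong id, a question we never asked, or a question already answered:
            # a later 'real' or forged reply is not allowed to overwrite anything.
            self.dropped.append((qid, qname, "no matching outstanding query"))
            return False
        del self.outstanding[qid]
        self.cache[qname] = (address, self.clock() + ttl)
        return True

    def lookup(self, qname):
        """Return the cached address, or None if absent or its TTL has run out."""
        entry = self.cache.get(qname)
        if entry is None:
            return None
        address, expiry = entry
        if self.clock() >= expiry:
            del self.cache[qname]   # must be fetched afresh from the authoritative server
            return None
        return address


if __name__ == "__main__":
    now = [1000.0]                              # constructed clock the example controls
    r = Resolver(lambda: now[0])
    qid = r.send_query("trusted.example")
    print(r.receive_reply(qid ^ 1, "trusted.example", "203.0.113.9", 60))   # False: wrong id
    print(r.receive_reply(qid, "trusted.example", "192.0.2.10", 60))        # True: cached
    print(r.receive_reply(qid, "trusted.example", "203.0.113.9", 60))       # False: late duplicate
    print(r.lookup("trusted.example"))                                     # 192.0.2.10
    now[0] += 61
    print(r.lookup("trusted.example"))                                     # None: TTL expired
```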
Exercises
Self-test objectives
1 Describe the nature of possible threats to the security of a human–computer system.
2 What is meant by ‘security is a property of systems’?
3 What are the four main themes in computer security?
4 What role does trust play in setting the ground rules for security?
5 Explain how security relates to risk assessment
6 What are the main threats to human–computer security?
7 Who presents the main threats to human–computer security?
8 What is ISO17799?
9 What is RFC 2196?
10 What is meant by social engineering?
11 List some ways of countering social engineering
12 What is meant by a honey pot?
13 What is meant by a sacrificial lamb?
14 What are the pros and cons of system homogeneity in security?
15 Explain how laptops and mobile devices can compromise security
16 What are the problems with the security of the Internet Protocol?
17 State the ways of minimizing the likelihood of a serious security breach
18 How does economy play a role in security?
19 What is the point of strict protocols in human–computer systems?
20 Explain why it is not possible to ever really identify someone – only to re-identify someone whose identity we have already trusted.
21 What is mutual authentication?
22 What is a challenge–response system?
23 What is meant by a nonce?
24 What is a cryptographic hash or checksum?
25 What is a message authentication code?
26 What is meant by a Denial of Service (DoS) attack?
27 What is meant by cache poisoning?
3 Determine what password format is used on your own system. Are shadow password files used? Does your site use NIS (i.e. can you see the password database by typing ypcat passwd)?
4 Assume that passwords may consist of only the 26 letters of the alphabet. How many different passwords can be constructed if the number of characters in the password is 1, 2, 3, 4, 5, 6, 7 or 8 characters?
5 Suppose a password has four characters, and it takes approximately a millisecond (10⁻³ s) to check a password. How long would a brute-force attack take to determine the password?
6 Discuss how you can really determine the identity of another person. Is it enough to see the person? Is a DNA test sufficient? How do you know that a person’s body has not been taken over by aliens, or they have not been brainwashed by a mad scientist? This problem is meant to make you think carefully about the problem of authentication.
7 Password authentication works by knowing a shared secret. What other methods of authentication are used?
8 The secure shell uses a Virtual Private Network (VPN) or encrypted channel between hosts to transfer data. Does this offer complete security? What does encryption not protect against?
9 Explain the significance of redundancy in a secure environment
10 When the current TCP/IP technology was devised, ordinary users did not have personal computers or access to network listening devices. Explain how encryption of TCP/IP links can help to restore the security of the TCP/IP protocol.
11 Explain the purpose of a sacrificial lamb
12 Discuss the point of making a honey pot. Would this attract anyone other than bears of little brain?
13 Answer true or false to the following (you might have to read ahead to answer some of these):
(a) Current DNS implementations have no strong authentication.
(b) DNSSec can use digital signatures to solve the problem of authenticity for zone transfers between redundant servers.
(c) DNSSec can use symmetric shared secrets to solve the authenticity problem for zone transfers.
(d) Current implementations of DNS have no way of restricting access and are thus completely vulnerable to integrity attacks.
(e) Current DNS implementations use unreliable connections.
(f) SSL/TLS uses Kerberos to authenticate secure sockets.
(g) SSL/TLS use trust management based on a signing authority, like a trusted third party.
(h) IPSec was designed for and only works with IPv6, so it will not be available for some years.
(i) IPSec has solved the problem of contradictory policy rules.
(j) IPSec permits packet filtering based on Mandatory Access Control.
(k) IPSec’s use of encrypted tunnels allows it to function like a VPN, provided that end devices themselves support IPSec.
(l) Wireless IP security does not support end to end encryption, only encryption between wireless device and receiving station.
14 Explain why encryption can be used as a form of authentication.
15 What is meant by masquerading or spoofing?
16 Describe the issues to consider in finding a backup scheme for a large and a small organization. Your answer should address tactical, economic and ethical issues.
Security implementation
In the previous chapter we looked at the meaning of security in the context of a computer system. Now we apply the basic principles and consider what practical steps can be taken to provide a basic level of security.
12.1 System design and normalization
Security is a property of systems; to address security, we must speak of the system as a whole:
• Identify what assets we are trying to protect
• Evaluate the main sources of risk and where trust is placed
• Work out possible counter-measures to attacks
Counter-measures can be both preventative and reactive. They consist of:
• Rules
• Codified responses
The foundation of security is policy. We must agree on what is valuable and acceptable in the system. Without such an assessment, we cannot speak of the risk to those assets, and determine what level of risk is acceptable. Policy is decided by social groups.
A system consists of an assembly of parts that exhibit three main activities:
parts within a system, and the safe and predictable functioning of the sum of those parts.
Protecting ourselves against threat also involves a limited number of themes:
• Applying safeguards (shields)
• Access control (selective shields)
• Protocols (specification of and limitation to safe behavior)
• Feedback regulation (continuous assessment)
• Redundancy (parallelism instead of serialism) detection and correction
• Monitoring the system
• Regulation
We need to apply these to environments which utilize computer systems
Normalization of a system is a concept from the theory of databases.
• Avoid unnecessary dependencies and inconsistencies
• Validate assumptions
12.2 The recovery plan
When devising a security scheme, think of the post-disaster scenario. When disaster strikes, how will the recovery proceed? How long is this likely to take? How much money or time will be lost as a result?
The network is a jigsaw puzzle in which every piece has its place and plays its part. Recall the principle of redundancy: the more dependent we are on one particular piece of the puzzle, the more fragile the set-up. Recovery will occur more quickly if we have backups of all key hardware, software and data.
In formulating a recovery plan, then, we need a scheme for replacing key components either temporarily or permanently, and we should also bear in mind that we do rely on many things which are outside of our immediate control. What happens, for instance, if a digger (back-hoe) goes through the net cable, our only link to the outside world? Whom should we call? Less fundamental but more insidious, what if the network managers above us decide to decouple us from the network without informing us in advance? In a large organization, different people have responsibility for different maintenance tasks. It has happened on more than one occasion that the power has been shut down without warning – a potentially lethal act for a computer.
12.3 Data integrity and protection
As part of any infrastructure plan, we need to apply the principles of redundancy and protection to the system’s data. Although backup copies will not protect us against loss, they do provide minimal insurance against accidents, intentional damage and natural disasters, and make the business of recovery less painful.
There are several general strategies:
• Encryption: prevention of access on theft or tampering.
• Integrity checksums: detection of error or tampering.
• Redundancy: recovery from loss.
12.3.1 Preventing error, tampering and loss
Data must be protected both when standing still (in storage) and when passing from place to place (in transport).
Encryption is a strategy for prevention of theft and tampering, particularly in the transmission of data over networks, though it can also be used to protect disk data from theft and backups from tampering. Encryption is only effective if the encryption keys are managed properly.
Disk information is a separate concern. Once a file is deleted in Unix-like operating systems, it is not directly recoverable. Unlike DOS and its successors, there is no way to undelete a file. Some system administrators like to protect inexperienced users by making an alias (in C-shell)
• Disk striping: This is a reorganization of filesystem structure amongst a group of disks. Data are spread across disks, using parallelism to increase data throughput and improve search rate. This can improve performance dramatically, but reduces security by an equal amount, since if one disk fails, all the data are lost from the other disks.
• Real-time mirroring: When data are written to one disk, they are simultaneously written to a second disk, rather than mirroring as a batch job performed once per day (see next section). This increases security. This protects against random disk failure, but not necessarily against natural disasters etc., since RAID disks are usually located all in one place.
• Hamming code parity protection: Data are split across several disks to utilize parallelism, and a special parity disk enables data to be reconstructed provided no more than one disk fails randomly. Again, this does not help us against loss due to wide-scale influences like natural disasters.
New RAID solutions appear frequently and the correspondence between manufacturers’ solutions and RAID levels is not completely standardized. RAID provides enhancements for performance and fault tolerance, but it cannot protect us against deliberate vandalism or widespread failure.
¹ Nowadays, the RAID advisory board use Independent for the ‘I’.
12.3.2 Backup schemes
We can lose information in many ways: by accident, technical failure, natural disaster or even sabotage. We must make sure that there are several copies of the data so that everything may be recovered from a secure backup. Backups are one of the favorite topics of the system administration community. Everyone has their own local tricks. Many schemes for backup have been described; most of them resemble one another apart from cosmetic differences. Descriptions of backup schemes are manifold. Regular incremental style backups with site customizations can be found in refs [310, 158, 169, 241, 148, 234, 335, 218, 257, 213]. A forward-looking backup scheme with a broad generality in its ability to use different services and devices for remote backups is described in ref [284] and backup to optical disks is discussed in refs [65, 320]. Automated tape backup and restore is discussed in ref [184] and in the Amanda system [283]; the AFS backup system is discussed in ref [151]. A review of how well backup systems deal with special Unix sparse files was conducted in ref [338].
Backup applies to individual changes, to system setup and to user data alike. In backing up data according to a regular pattern, we are assuming that no major changes occur in the structure of data [281]. If major changes occur, we need to start backups afresh. The network has completely changed the way we have to think about backup. Transmitting copies of files to secondary locations is now much simpler. The basics of backup are these:

• Physical location: A backup should be kept at a different physical location than the original. If data were lost because of fire or natural disaster, then copies will also be lost if they are stored nearby. On the other hand, they should not be too far away, or restoration time will suffer.

• How often?: How often do the data change significantly, i.e. how often do we need to make a backup? Every day? Do you need to archive several different versions of files, or just the latest version? The cost of making a backup is a relevant factor here.

• Relevant and irrelevant files: There is no longer much point in making a backup of parts of the operating system distribution itself. Today it is usually just as quick to reinstall the operating system from source, using the original CD-ROM. If we have followed the principle of separating local modifications from the system files, then it should be trivial to backup only the files which cannot be recovered from the CD-ROM, without having to backup everything.

• Backup policy: Some sites might have rules for defining what is regarded as valid information, i.e. what it is worth making a backup of. Files like prog.tar.gz might not need to be kept on backup media since they can be recovered from the network just as easily. Also one might not want to make backups of teen 'artwork' which certain users collect from the network, nor temporary data, such as browser cache files.
Medium

Traditionally backups have been made from disk to tape (which is relatively cheap and mobile), but tape backup is awkward and difficult to automate unless one can afford a specialized robot to change and manage the tapes. For small sites it is also possible to perform disk mirroring. Disk is cheap, while human operators are expensive. Many modern filesystems (e.g. DFS) are capable of automatic disk mirroring in real-time. A cheap approach to mirroring is to use cfengine:

   # cfengine.conf on backup host

   copy:

      /home dest=/backup/home
            recurse=inf
            server=myhost
            exclude=core

When run on the backup host, this makes a backup of all the files under the directory /home on the host myhost, apart from core files. RAID disks also have inbuilt redundancy which allows data to be recovered in the event of a single disk crash. Another advantage with a simple mirroring scheme is that users can recover their files themselves, immediately without having to bother a system administrator.

Of course, as the size of an institution grows, the economics of backup change. If one part of an organization has the responsibility for making backups for the entire remainder, then disk mirroring suddenly looks expensive. If each department of the organization invests in its own mirror disks, then the cost is spread. Economics has a lot to do with appearance as well as reality. One criticism of disk mirroring is that it is not always possible to keep the disk mirrors far enough away from the original to be completely safe. An additional tape backup as a last resort is probably a good idea anyway.
A backup schedule

How often we need to make backups depends on two competing rates of change:

• The rate at which new data are produced.

• The expected rate of loss or failure.

For most sites, a daily backup is sufficient. In a war-zone, where risk of bombing is a threat at any moment, it might be necessary to back up more often. Most organizations do not produce huge amounts of data every day; there are limits to human creativity. However, other organizations, such as research laboratories, collect data automatically from instruments which would be impractically expensive to re-acquire. In that case, the importance of backup would be even greater. Of course, there are limits to how often it is possible to make a backup. Backup is a resource-intensive process.

Suggestion 15 (Static data) When new data are acquired and do not change, they should be backed up to permanent write-once media at once. CD-ROM is an excellent medium for storing permanent data.

For a single, un-networked host used only occasionally, the need for backup might be as little as once per week or less.
The options we have for creating backup schemes depend on the tools we have available for the job. On Windows we have NTBackup. On Unix-like systems there is a variety of tools which can be used to copy files and filesystems.

On both Unix and Windows, it is possible to backup filesystems either fully or differentially, also called incrementally. A full dump is a copy of every file. An incremental backup is a copy of only those files which have changed since the last backup was taken. Incremental backups rely on dump timestamps and a consistent and reliable system clock to avoid files being missed. For instance, the Unix dump utility records the dates of its dumps in a file /etc/dumpdates. Incremental dumps work on a scheme of levels, as we shall see in the examples below.
There are many schemes for performing system dumps:

• Mirroring: By far the simplest backup scheme is to mirror data on a daily basis. A tool like cfengine or rsync (Unix) can be used for this, copying only the files which have changed since the previous backup. Cfengine is capable of retaining the last two versions of a file, if disk space permits. A disadvantage with this approach is that it places the onus of keeping old versions of files on the user. Old versions will be mercilessly overwritten by new ones.

• Simple tape backup: Tape backups are made at different levels. A level 0 dump is a complete dump of a filesystem. A level 1 dump is a dump of only those files which have changed since the last level 0 dump; a level 2 dump backs up files which have changed since the last level 1 dump and so on, incrementally. There are commonly nine levels of dumps using the Unix dump commands. NTBackup also allows incremental dumps.

The point of making incremental backups is that they allow us to capture changes in rapidly changing files without having to copy an entire filesystem every time. The vast majority of files on a filesystem do not change appreciably over the space of a few weeks, but the few files which we are working on specifically do change often. By pin-pointing these for special treatment we save both time and tapes.

So how do we choose a backup scheme? There are many approaches, but the key principle to have in mind is that of redundancy. The more copies of a file we have, the less likely we are to lose the file. A dump sequence should always begin with a level 0 dump, i.e. the whole filesystem. This initializes the sequence of incremental dumps. Monday evening, Tuesday morning or Saturday are good days to make a level 0 dump, since that will capture most large changes to the filesystem that occur during the week or weekend, in the level 0 dump rather than in the subsequent incremental ones. Studies show that users download large amounts of data on Mondays (after the weekend break) and it stands to reason that after a week of work, large changes will have taken place by Saturday. So we can take our pick. Here is a simple backup sequence for user home-directories, then, assuming that the backups are taken at the end of each day:

Day   Dump level

to a level 1 dump which captures all the changes from the whole week (since the Monday dump) in one go. By doing this, we have two backups of the changes, not just one. If we do not expect much to happen over the weekend, we might want to drop the dump on Saturday.
A variation on this scheme, which captures several copies of every file over multiple tapes, is the so-called Towers of Hanoi sequence. The idea here is to switch the order of the dump levels every other day. This has the effect of capturing not only the files which have changed since the last dump, but also all of the files from the previous dump as well. Here is a sample for Monday to Saturday:

Towers of Hanoi sequence over 4 weeks

   0 → 3 → 2 → 5 → 4 → 6
   1 → 3 → 2 → 5 → 4 → 6
   1 → 3 → 2 → 5 → 4 → 6
   1 → 3 → 2 → 5 → 4 → 6

There are several things to notice here. First of all, we begin with a level 0 dump at the beginning of the month. This captures primarily all of the static files. Next we begin our first week with a level 3 dump which captures all changes since the level 0 dump. Then, instead of stepping up, we step down and capture all of the changes since the level 0 dump again (since 3 is higher than 2). This means that we get everything from the level 3 dump and all the changes since then too. On day 4 we go for a level 5 dump which captures everything since the last level 3, and so on. Each backup captures not only new changes, but all of the previous backup also. This provides double the amount of redundancy as would be gained by a simple incremental sequence. When it comes to Monday again, we begin with a level 1 backup which grabs the changes from the whole of the previous week. Then once a month, a level 0 backup grabs the whole thing again.

The Towers of Hanoi sequence is clever and very secure, in the sense that it provides a high level of redundancy, but it is also expensive since it requires time and attention. Robotic automation can help here.
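As an added example (not from the book), here is a small Python model of the dump-level rule applied to the Towers of Hanoi schedule above: a level-n dump is taken relative to the most recent earlier dump of a lower level, and a level 0 dump is a full copy. Days are numbered 0 to 23 from the first Monday (a convention chosen here). It shows which dump each tape builds on, which tapes a restore must read back and in what order (the problem raised under Recovery from loss below), and how many tapes carry each day's changes.

```python
"""Dump levels, restore chains and redundancy for a dump schedule.
Added example; the schedule is the Towers of Hanoi sequence from the text and
the level rule is the Unix dump convention described in the text."""

from typing import List, Optional

# Towers of Hanoi sequence over 4 weeks, Monday to Saturday, days 0..23.
TOWERS_OF_HANOI = [0, 3, 2, 5, 4, 6] + [1, 3, 2, 5, 4, 6] * 3


def base_dump(levels: List[int], i: int) -> Optional[int]:
    """Index of the dump that dump i is taken relative to.

    A level-n dump copies every file changed since the most recent earlier
    dump of a level strictly lower than n.  A level-0 dump is a full copy
    and has no base (None).
    """
    if levels[i] == 0:
        return None
    for j in range(i - 1, -1, -1):
        if levels[j] < levels[i]:
            return j
    raise ValueError(f"dump {i} (level {levels[i]}) has no earlier lower-level dump")


def restore_chain(levels: List[int], i: int) -> List[int]:
    """Tapes needed, oldest first, to rebuild the filesystem as of dump i.

    Walk back from dump i through its bases to the level-0 dump; a restore
    replays the tapes in this order (the full dump, then each incremental).
    """
    chain: List[int] = []
    cur: Optional[int] = i
    while cur is not None:
        chain.append(cur)
        cur = base_dump(levels, cur)
    return list(reversed(chain))


def covered_days(levels: List[int], i: int) -> List[int]:
    """Days whose changes are on the tape for dump i.

    Every day after the base dump, up to and including day i, is on that
    tape.  A day that appears for more than one tape has the redundancy
    the text describes.  A level-0 tape is listed as covering its own day.
    """
    base = base_dump(levels, i)
    start = 0 if base is None else base + 1
    return list(range(start, i + 1))


def redundancy(levels: List[int]) -> List[int]:
    """Number of tapes carrying each day's changes, indexed by day."""
    count = [0] * len(levels)
    for i in range(len(levels)):
        for d in covered_days(levels, i):
            count[d] += 1
    return count


if __name__ == "__main__":
    for i, lvl in enumerate(TOWERS_OF_HANOI):
        print(f"day {i:2d} level {lvl}: base={base_dump(TOWERS_OF_HANOI, i)} "
              f"covers days {covered_days(TOWERS_OF_HANOI, i)}")
    print("restore for day 11 needs tapes", restore_chain(TOWERS_OF_HANOI, 11))
    print("tapes per day:", redundancy(TOWERS_OF_HANOI))
```

Running it shows, for instance, that a restore of the second Saturday (day 11) needs five tapes in the order 0, 6, 8, 10, 11, and that each week's level 1 tape goes back to the level 0 dump, not just to the previous Monday.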
The level of redundancy which is appropriate for a given site has to be a question of economics based on four factors:

1. The cost of the backup (in time and media).

2. The expected rate of loss.

3. The rate of data production.

4. Media reliability.

These factors vary for different kinds of data, so the calculation needs to be thought out for each filesystem independently. The final point can hardly be emphasized enough. It helps us nothing to make ten copies of a file, if none of those copies are readable when we need them.

Suggestion 16 (Tape backup) Tapes are notoriously unreliable media, and tape streamers are mechanical nightmares, with complex moving parts which frequently go wrong. Verify the integrity of each substantial tape backup once you have made it. Never trust a tape. If the tape streamer gets serviced or repaired, check old tapes again afterwards. Head alignment changes can make old tapes unreadable.
Needless to say, backups should be made when the system is virtually quiescent: at night, usually. The most obvious reason for this is that, if files are being changed while the backup is progressing, then data can be corrupted or backed up incorrectly. The other reason is one of load: traversing a filesystem is a highly disk-intensive operation. If the disk is being used extensively for other purposes at the same time, both backup and system will proceed at a snail's pace.

to be at special locations within largely quiescent filesystems, can be copied to another filesystem which is backed up often. This follows automatically from our principle of keeping local changes separate from the OS files.

The same thing applies to other files like /etc/fstab or /etc/group and crontab which have been modified since the operating system was installed. However, here one can reverse the policy for the sake of a rational approach. While the password and shadow files have to be at a fixed place, so that they will be correctly modified when users change their passwords, none of the other files have to be kept in their operating system recommended locations.

Suggestion 17 (OS configuration files) Keep master versions of all configuration files like /etc/fstab, /etc/group or crontabs/ in a directory under site-dependent files, and use a tool which synchronizes the contents of the master files with the operating system files (e.g. cfengine). This also allows the files to be distributed easily to other hosts which share a common configuration, and provides us with one place to make modifications, rather than having to hunt around the system for long-forgotten modifications. Site-dependent files should be on a partition which is backed up. Do not use symbolic links for synchronizing master files with the OS: only the root filesystem is mounted when the system boots, and cross-partition links will be invalid. You might render the system unbootable.
12.3.3 Recovery from loss

The ability to recover from loss presupposes that we have enough pieces of the system from which to reconstruct it, should disaster strike. This is where the principle of redundancy comes in. If we have done an adequate job of backing up the system, including special information about its hardware configuration, then we will not lose data, but we can still lose valuable time.

Recovery plans can be useful provided they are not merely bureaucratic exercises. Usually a checklist is sufficient, provided the system administration team are all familiar with the details of the local configuration. A common mistake in a large organization, which is guaranteed to lead to friction, is to make unwarranted assumptions about a local department. Delegation can be a valuable strategy in the fight against time. If there are sufficient local system administrators who know the details of each part of the network, then it will take such people less time to make the appropriate decisions and implement the recovery plan. However, delegation also opens us up to the possibility of inconsistency – we must make sure that those we delegate to are well trained. (Remember to set the write-protect tab on tapes and have someone check this afterwards.)

When loss occurs, we have to recover files from the backups. One of the great advantages of a disk mirroring scheme is that users can find backups of their own files without having to involve an administrator. For larger file recoveries, it is more efficient for a system administrator to deal with the task. Restoring from tape backup is a much more involved task. Unfortunately, it is not merely a matter of donkey work. First of all we have to locate the correct tape (or tapes) which contain the appropriate versions of backed up files. This involves having a system for storage, reading labels and understanding any incremental sequence which was used to perform the dump. It is a time-consuming business. One of the awkwardnesses of incremental backups is that backing up files can involve changing several tapes to gather all of the files. Also, imagine what would happen if the tapes were not properly labeled, or if they are overwritten by accident.

Suggestion 18 (URL filesystem names) Use a global URL naming scheme for all filesystems, so that the filename contains the true location of the file, and you will never lose a file on a tape, even if the label falls off (see section 3.8.7). Each file will be sufficiently labeled by its time-stamp and its name.

We have two choices in recovery: reconstruction from backup or from source. Recovery from source is not an attractive option for local data. It would involve typing in every document from scratch. For software which is imported from external sources (CD-ROMs or ftp repositories), it is possible to reconstruct software repositories like /usr/local or Windows' software directories. Whether or not this is a realistic option depends on how much money one has to spend. For a particularly impoverished department, reconstruction from source is a cheap option.

ACLs present an awkward problem for Windows filesystems. Whereas Unix's root account always has permission to change the ownership and access rights of a file, Windows's Administrator account does not. On Windows systems, it is important not to reinstate files with permissions intact if there is a risk of them belonging to a foreign domain. If we did that, the files would be unreadable to everyone, with no possibility of changing their permissions.

Data directory loss is one thing, but what if the system disk becomes corrupted? Then it might not even be possible to start the system. In that case it is necessary to boot from floppy disk, CD-ROM or network. For instance, a PC with GNU/Linux can be booted from a 'rescue disk' or boot disk, in single-user mode (see section 4.3.1), just by inserting a disk into the floppy drive. This will allow full access to the system disk by mounting it on a spare directory:
12.3.4 Checksum or hash verification

Every time we use the privileged system account, we are at risk of installing a virus or a Trojan horse, or of editing the contents of important files which define system security. The list of ingenious ploys for tricking root privileged processes into working on the behalf of attackers makes an impressive ream. The seeming inevitability of it, sooner or later, implores us to verify the integrity of programs and data by comparing them with a trusted source. A popular way to do this is to use a checksum comparison. To all intents and purposes, an MD5 checksum cannot be forged by any known procedure. An MD5 checksum or hash is a numerical value that summarizes the contents of a file. Any small change in a file changes its cryptographic checksum, with virtually complete certainty. A checksum can therefore be used to determine whether a file has changed. First we must compile a database of checksums for all important files on the system, in a trusted state. Then we check the actual files against this database over time. Assuming that the database itself is secure, this enables us to detect changes in the files and programs. The Tripwire program was the original program written to perform this function. Tripwire can be configured to cross-check several types of checksum, just on the off-chance that someone manages to find a way to forge an MD5 checksum. Cfengine can also perform this task routinely, while doing other file operations. Cfengine currently uses only MD5 checksums (see figure 12.1).
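As an added example (not Tripwire's or cfengine's code), here is a Python sketch of the database-then-check procedure just described, run on a throw-away tree that the script constructs itself. It records two digests per file (SHA-256 and BLAKE2b, standing in for the MD5 the text discusses and cross-checked in the way the text says Tripwire can be) together with size and permission bits, then reports changed, missing and new files.

```python
"""Tripwire-style integrity database: baseline a file tree, re-check it later.
Added example, not Tripwire's or cfengine's code.  Two digests per file stand
in for the MD5 the text describes; an edit must change both to go unnoticed."""

import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, List, Tuple

ALGORITHMS = ("sha256", "blake2b")
Entry = Dict[str, object]
Report = Dict[str, List[str]]


def digest_file(path: str) -> Dict[str, str]:
    """Hex digest of the file's contents under each algorithm, read in chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_database(root: str) -> Dict[str, Entry]:
    """Digests, size and permission bits of every regular file under root.

    Paths are stored relative to root.  Symlinks are skipped rather than
    followed, so a link repointed at another file cannot pass as unchanged.
    """
    db: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()                       # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            entry: Entry = {"size": st.st_size, "mode": oct(stat.S_IMODE(st.st_mode))}
            entry.update(digest_file(full))
            db[os.path.relpath(full, root)] = entry
    return db


def verify(root: str, db: Dict[str, Entry]) -> Report:
    """Compare the live tree with the baseline.

    'changed' covers content, size or permission differences; 'missing' files
    are in the baseline but gone; 'new' files appeared since the baseline.
    """
    current = build_database(root)
    return {
        "changed": sorted(p for p in db if p in current and current[p] != db[p]),
        "missing": [p for p in db if p not in current],
        "new": [p for p in current if p not in db],
    }


def walkthrough() -> Tuple[Report, Report]:
    """Constructed demonstration on a temporary tree (not a real /usr).

    Returns the report taken while nothing had changed, and the report after
    one file was altered, one deleted and one planted.
    """
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as fh:
            fh.write(b"#!/bin/sh\nexec /bin/ls \"$@\"\n")
        with open(os.path.join(root, "passwd"), "wb") as fh:
            fh.write(b"root:x:0:0:root:/root:/bin/sh\n")
        baseline = build_database(root)
        clean = verify(root, baseline)
        with open(os.path.join(root, "bin", "ls"), "ab") as fh:     # altered program
            fh.write(b"echo tampered\n")
        os.remove(os.path.join(root, "passwd"))                     # deleted file
        with open(os.path.join(root, "bin", "extra"), "wb") as fh:  # planted file
            fh.write(b"x")
        return clean, verify(root, baseline)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    before, after = walkthrough()
    print("before:", before)
    print("after: ", after)
```

In use, the baseline dictionary would be written out (JSON is enough) and kept, or at least its own digest kept, where the monitored host cannot write to it; as the text says, the check is only as good as the database.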
   actionsequence = ( files )

   files:

      /usr owner=root,bin mode=o-w checksum=md5 recurse=inf

Figure 12.1: A cfengine program to gather and check MD5 checksums of the /usr file tree.

[2] The SunOS CD player traditionally has to be on controller 0 with SCSI id 6.

12.4 Authentication methods

Authentication methods are techniques for re-identifying users. They are based on matching attributes that uniquely identify individuals. Traditionally authentication has been based on shared secrets used in conjunction with cryptographic algorithms. There are two main approaches to the use of encryption: the use of symmetric encryption algorithms and the use of public key algorithms. Recently, related techniques such as smart cards (used in mobile phones) and biometrics (fingerprints and iris scans) have been experimented with.
12.4.1 Symmetric and asymmetric key methods

A shared secret identifies two parties to one another. With a symmetric key algorithm both parties must have explicit knowledge of the same secret key; one then has the problem of agreeing secrets with all of the individuals we want to talk to. If N parties need to communicate privately with a unique key, then one needs N(N − 1)/2 secrets in total. Trust is established between each pair of individuals during the mutual agreement of the key. This is a simple and effective model, but its great overhead is the work required to establish and remember all of the keys. With a public (or asymmetric) key algorithm, each party has two keys: a public key and a private key; thus there are 2N keys in total. The key-pair belonging to a given party consists of two related keys. A message that is encrypted with one of them can only be decrypted with the other. Each user can now keep one key completely secret and make the other key known to everyone. To send a secret message to the owner of the private key, someone only needs to encrypt a message with their public key. Only the owner of the matching private key can decrypt the message again (not even the person who encrypted it). This makes the problem of key distribution very straightforward. However, it has a price: since it obviates the need for a trusted meeting between the parties to agree on a secret, it makes the issue of trusting keys much harder. If you find a key, supposedly belonging to X, on a particular web-site, you have only the word of the web-site owner that the key really is the key belonging to X. If you send a secret message to X using this key, it will only be readable by the owner of the private key that matches this key, but that could be anyone. Thus one has no idea, in general, whether or not to trust the identity associated with a public key. This issue is explored further below. Public key algorithms are now widely used in authentication for their great convenience and flexibility.
12.4.2 Trust models and signing

Having chosen an encryption scheme for authentication, there is still the issue of what trust model to choose. This is particularly important in cases where authentication is required by non-interactive programs such as client-server mechanisms, where human intelligence is not available to make a value judgment (see principle 62 in section 11.7.4).

A caveat to public key methods is that they make possible the creation of digital signatures. Since the two keys in a key-pair both work in the same way (one merely makes an arbitrary choice about which is to be public and which is to be private), the owner of a private key can also encrypt messages with his or her private key that only the owner of the public key can decrypt. This does not help with privacy now, because everyone knows the public key. However, since only the matching public key can decrypt the message, it is possible for the receiver to verify which key was used to encrypt the message, i.e. the identity of the sender. This is the essence of digital signatures. It has the same trust problems as the encryption mentioned above; however, if one has somehow learned to trust who is the true originator of a public key, then one can also trust the signature.

The problem of trusting public keys is solved in one of three ways, all of which are certified by signing keys:

1. Persona grata: a key can be transferred 'in person' from a person that we already know. On accepting the key we sign it with our own digital signature as a certification of its authenticity.

2. Peer review: a key that has been accepted and signed by 'friends' whom we also trust is also acceptable if we see our friends' signature(s) on the public key. Once we have accepted and trusted the key, we sign it also and pass it on to others. The more signatures on a key from people we trust, the more likely it is that we can trust the key. This is also called the 'web of trust'. It is the model used by the encryption software PGP.

3. Trusted third party: we can authorize an entity to take responsibility for validating the identity of parties. This trusted entity is called a Trusted Third Party (TTP) and it has a signature that we trust implicitly. When we see a key that has been signed by a trusted third party, we take it to be a valid identity. Companies like Verisign sell this service for secure (HTTPS) web sites that use the Secure Socket Layer.

Principle 63 (Trusted third parties) A trusted third party reduces the number of trust interactions from order N² to order N, by acting as a trusted repository for information about the N individuals. This is only possible because the TTP is trusted itself.

Corollary to principle (Trusted third parties) A trusted third party is a single point of failure within an authentication system.

Schemes that are based on trusted third parties have a single point of failure and one is therefore completely dependent upon the security and reliability of their services. This makes them vulnerable to Denial of Service attacks.

Symmetric keys need not be signed, because they are private by definition. Peer review is therefore not applicable as a trust method. We are left with two possibilities: personal hand-off or verification by trusted third parties. Kerberos uses such a third party scheme for symmetric keys (see section 12.4.6).
12.4.3 SSH and cfengine

The secure shell, SSH, and cfengine share a similar trust model and authentication mechanisms. Cfengine's authentication dialogue is essentially a simplification of the SSH method, adapted to non-interactive use.

Much of the sophistication in SSH concerns the negotiation of an available encryption method, given the uncertain environment of connecting to potentially widely different sites. Cfengine has a much simpler task in this regard, since it is used primarily within a single organization with access to the same set of cryptographic tools and algorithms.

The user end of SSH is normally an interactive shell, in which a user can answer a direct question about whether or not to accept a new key. Cfengine, on the other hand, normally works non-interactively and must therefore make a decision internally about the acceptance of new keys.

Neither of these tools uses a trusted third party approach by default, though SSH can use multiple authentication methods. It is a Swiss army knife of authenticators. Cfengine does not allow a trusted third party model, since this kind of centralization is contrary to the spirit of a distributed system where one would like to make each player self-sufficient and independent of any single point of failure. SSH uses a 'trusted port', i.e. port 22, which – in principle – prevents an untrusted user from setting up a service that looks like SSH, and checks IP origin, like TCP wrappers [3]. However, it must accept client keys on trust, since no one is available on the server side to make a decision manually.

Cfengine checks IP origin and treats both server and client as untrusted: it requires a trust window to be opened for the acceptance of a new key, by requiring an administrator to 'switch on' trust to a given IP address just before a trusted exchange. Once the key exchange is completed, the potential for subversion is passed. Both SSH and cfengine are, in principle, vulnerable to client identification races; however, secure shell has a backup in that it also demands an interactive backup authentication (such as a password), so this does not necessarily matter.

It should be said that the likelihood of being able to exploit such a race is very small. It places the onus on the system administrator to secure the trusted environment for the key exchange. The payoff is the autonomy of the clients and the clear isolation of risk.

[3] In reality, the trusted ports can no longer be trusted since every PC owner is a trusted user on their own system. The threshold for trust has been lowered considerably by the proliferation of computing.

12.4.4 Transport Layer Security

The secure socket layer (SSL) was originally introduced by Netscape Communications in order to allow private web transactions based on X.509 certificates. (HTTPS is SSL encoded HTTP.) Version 3 of the protocol was extended with experiences and suggestions from other companies in the industry and was published as an Internet draft document standard. Transport layer security (TLS) is essentially an outgrowth of SSLv3, and it is intended that this will become a network industry standard.

SSL and TLS use public key methods to authenticate sites and establish a session key for communications. The protocol authenticates both parties and negotiates a computationally 'cheaper' encryption algorithm and message digest to sign the message.

SSL is designed to be a drop-in replacement for standard socket communication, easily implemented, with minimal investment on the part of the programmer. Roughly speaking, one simply replaces some system calls with library functions from SSL and the encryption should be transparent. In order to achieve this level of simplicity, a Trusted Third Party trust model is used, since this avoids an interaction.

Keys are referred to as certificates and are only accepted on trust if they are signed by a signing authority (normally Verisign). Any keys that are not signed by a known authority are presented to users so that they can make a manual decision.

In a system administration context, SSL has both advantages and disadvantages. Clearly, one does not want to pay a signing authority a hundred dollars or more to authenticate each host at a site, but this applies mainly to the Web and could be circumvented with custom software. A larger problem is the centralization of the model: each new communication requires a verification with the central authority, thus there is a single point of failure. Administratively speaking, forced centralization is either a convenience or a curse depending on how centralized administrative practices are.
12.4.5 Sign and encrypt attacks

The belief that signing and public key encryption give strong security, especially in combination, is only partially true. It is still possible to construct attacks against the naive use of these encryption methods [88]. These attacks apply to a number of security infrastructures, including S/MIME and IPSec. They are easily curable with administrative care. We define first some notation for representing encryption and signing:

• Public keys: capital letters

• Private keys: small letters

• Encryption with public key A: {"message"}_A

• Signing with private key b: ("message")_b

Notice that a small letter denotes both signing and the use of a private key, and a capital letter denotes both encryption and the use of a public key. We now consider the two attacks on the sign-encrypt trust model.

Sign then encrypt attack

Alice signs and encrypts a message for her heart's desire, Bob:

   A → B : {("I love you!!")_a}_B   (12.1)

Alas, Bob does not like Alice and wants to embarrass her. He decrypts Alice's message, leaving her signed message,

   {("I love you!!")_a}_B → ("I love you!!")_a   (12.2)

and re-encrypts the message for Charlie to read:

   B → C : {("I love you!!")_a}_C   (12.3)

Now, when Charlie decrypts the message, he sees Alice's signature and believes that Alice loves him. The very security assured by signing will now incriminate Alice. This is more serious if the message is "I.O.U 1,000,000".

Encrypt then sign attack

Inventor Alice encrypts a document describing her secret biotechnology patent, worth millions, for Bob, the patent lawyer. She signs the message so that Bob knows it is authentic. Unfortunately, her so-called friend Charlie (still angry about her falsified affections) intercepts the message along the way:

   A → C : ({"My patent"}_B)_a   (12.4)

Charlie laughs, knowing he is now rich. He strips off Alice's signature and signs the message himself:

   ({"My patent"}_B)_a → {"My patent"}_B   (12.5)

   {"My patent"}_B → ({"My patent"}_B)_c   (12.6)

He then sends it to Bob, the patent lawyer:

   C → B : ({"My patent"}_B)_c   (12.7)

It now appears that the idea comes from Charlie.

The solution to both of these attacks is to SIGN, ENCRYPT and SIGN again messages. Note that protocols using symmetrical ciphers are not susceptible to these attacks. We see that encryption mechanisms, while useful, are not an assurance of security.
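As an added example (not from the book), here is a symbolic Python model of the notation above, with no real cryptography: {m}_B is represented as ("enc", "bob", m) and (m)_a as ("sig", "alice", m). It implements the SIGN, ENCRYPT, SIGN construction the text recommends, together with the receiver-side check that makes it work: the inner and outer signatures must come from the same party, which a message re-wrapped in either of the two ways described cannot satisfy.

```python
"""Symbolic model of sign/encrypt notation and the sign-encrypt-sign check.
Added example, not from the book; tuples stand in for real signatures and
ciphertexts so that only the structure of the messages is modelled."""

from typing import Any, Tuple

Msg = Any   # a str, or a nested ("enc", owner, Msg) / ("sig", signer, Msg) tuple


def encrypt(owner: str, m: Msg) -> Msg:
    """{m}_Owner: only the holder of the matching private key can open it."""
    return ("enc", owner, m)


def sign(signer: str, m: Msg) -> Msg:
    """(m)_signer: anyone with the signer's public key can verify it."""
    return ("sig", signer, m)


def decrypt(owner: str, m: Msg) -> Msg:
    """Open {m}_Owner; fails unless the caller holds that private key."""
    kind, key, inner = m
    if kind != "enc" or key != owner:
        raise PermissionError(f"{owner} cannot decrypt a message for {key}")
    return inner


def verify(m: Msg) -> Tuple[str, Msg]:
    """Check a signature and return (signer, signed content)."""
    kind, signer, inner = m
    if kind != "sig":
        raise ValueError("not a signed message")
    return signer, inner


def sign_encrypt_sign(sender: str, recipient: str, text: str) -> Msg:
    """(({(text)_s}_R)_s: sign with s, encrypt for R, sign again with s."""
    return sign(sender, encrypt(recipient, sign(sender, text)))


def open_sign_encrypt_sign(recipient: str, m: Msg) -> Tuple[str, str]:
    """Receiver: peel the outer signature, decrypt, peel the inner signature,
    and accept only if both signatures were made by the same party.

    A message re-encrypted for someone else (sign then encrypt attack) arrives
    with the author's inner signature under the forwarder's outer one; a message
    re-signed in transit (encrypt then sign attack) arrives with the interceptor's
    outer signature over the author's inner one.  Both fail this one check.
    """
    outer_signer, ciphertext = verify(m)
    inner_signer, text = verify(decrypt(recipient, ciphertext))
    if inner_signer != outer_signer:
        raise ValueError(f"inner signature by {inner_signer}, outer by "
                         f"{outer_signer}: message was re-wrapped, reject it")
    return inner_signer, text


def accepts(recipient: str, m: Msg) -> bool:
    """True if recipient would accept m as a genuine sign-encrypt-sign message."""
    try:
        open_sign_encrypt_sign(recipient, m)
        return True
    except (ValueError, PermissionError):
        return False


if __name__ == "__main__":
    msg = sign_encrypt_sign("alice", "bob", "I love you!!")
    print(msg)
    print("bob reads:", open_sign_encrypt_sign("bob", msg))
```

The check detects re-wrapping; naming the intended recipient inside the signed text is the other standard remedy and composes with it.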
12.4.6 Kerberos
Another protocol for establishing identity and exchanging a session key wasdevised in 1978 by R Needham and M Schroeder It uses the idea of a trusted third
party or key-broker and uses symmetric encryption keys to pass messages, and
forms the backbone of the Kerberos system In practice, the Needham–Schroederprotocol simulates the idea of public keys by sending all requests through atrusted third party or mediator
Suppose A wishes to send a private message to B. Both A and B have already registered a secret key with a trusted key server S, and they assume that everyone else in their local domain has done the same. In order to talk privately to someone else, the trick is to establish an encryption key K_ab from A to B, given keys known only to themselves and S, without an attacker being able to understand the messages. Essentially Alice asks Sam to encrypt a message to Bob for her, without giving away Bob's key.
Curly braces indicate a message that is encrypted, using the key in the subscript. In words, the protocol says the following:
1. A says to S: "I am A, I want to talk to B and I'm giving you a random nonce N_a."
2. S replies, quoting her nonce to show that the reply is not a replay, confirms that the message is about a key with B, and provides a key for encrypting messages between A and B. He also provides a message for Bob, already encrypted with the secret key that B and S share (K_bs). This message contains Alice's name and the session key (K_ab) for talking to A privately. All of this is encrypted with the common key that A and S share (K_as).
3. Alice simply sends the message which S encrypted to B. This is already encrypted so that B can read it.
4. B decrypts the message and replies using the session key (K_ab) with a nonce of its own, to make sure that A's request is fresh, i.e. that this is not a replay.
5. A responds that it has received the nonce.
A and B are now ready to talk, using the secret session key K_ab. This protocol is the basis of the Kerberos system, which is used in many Unix and Windows 2000 systems.
Note that A and B could be two hosts, or two users on the same host. By routing communication through a trusted third party, they avoid having to agree more than one private key (the trusted party's key) in advance. Otherwise they would have to verify the N(N − 1)/2 individual keys that are required to communicate privately between N individuals.
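The exchange above in code, with both sides' messages, as an added example that is not the book's code. The page does not print the protocol formulas, so the message contents follow the standard Needham–Schroeder symmetric-key protocol: message 2 is {N_a, B, K_ab, {K_ab, A}_K_bs}_K_as, message 4 is {N_b}_K_ab and message 5 is {N_b − 1}_K_ab. The cipher is a constructed SHA-256 keystream with an HMAC tag (a stand-in for a real authenticated cipher, not for production use), and the class and method names are this example's own. It goes one step beyond the text: `replay_old_ticket` shows the weakness that Kerberos later closed with timestamps, namely that message 3 can be replayed by anyone who has obtained an old K_ab (Denning and Sacco, 1981).

```python
"""Needham-Schroeder symmetric-key protocol: both sides' messages, the
freshness checks, and the known replay weakness.  Constructed example for this
page, not the book's code.  The cipher (SHA-256 keystream plus HMAC tag) is a
stand-in for a real authenticated cipher and is not for production use."""
import hashlib
import hmac
import json
import secrets


def _keystream(key, iv, length):
    blocks = (hashlib.sha256(key + iv + ctr.to_bytes(4, "big")).digest()
              for ctr in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def enc(key, obj):
    """{obj}_key: JSON-serialise, XOR with keystream, append an HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()


def dec(key, blob):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct)))))


class KeyServer:
    """S: holds one long-term key per principal and hands out session keys."""
    def __init__(self):
        self.keys = {}

    def register(self, name):
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def reply(self, a, b, na):
        """Message 2, S -> A: {Na, B, Kab, {Kab, A}_Kbs}_Kas."""
        kab = secrets.token_bytes(32)
        ticket = enc(self.keys[b], {"kab": kab.hex(), "from": a})
        return enc(self.keys[a], {"na": na, "peer": b, "kab": kab.hex(),
                                  "ticket": ticket.hex()})


class Principal:
    def __init__(self, name, server):
        self.name, self.server = name, server
        self.key = server.register(name)   # long-term key shared with S
        self.sessions, self.pending = {}, {}

    def initiate(self, peer):
        """Messages 1 and 2 from A's side; returns message 3 for B."""
        na = secrets.token_hex(16)                          # A -> S: A, B, Na
        r = dec(self.key, self.server.reply(self.name, peer, na))
        if r["na"] != na or r["peer"] != peer:              # not a replay, right peer
            raise ValueError("stale or mis-addressed reply from S")
        self.sessions[peer] = bytes.fromhex(r["kab"])
        return bytes.fromhex(r["ticket"])                   # A -> B: {Kab, A}_Kbs

    def accept_ticket(self, ticket):
        """Message 3 at B; returns (A, message 4 = {Nb}_Kab)."""
        t = dec(self.key, ticket)
        kab, peer = bytes.fromhex(t["kab"]), t["from"]
        self.sessions[peer] = kab
        self.pending[peer] = secrets.randbelow(2 ** 32)
        return peer, enc(kab, {"nb": self.pending[peer]})

    def answer_challenge(self, peer, challenge):
        """Message 5 at A: {Nb - 1}_Kab shows A holds Kab right now."""
        nb = dec(self.sessions[peer], challenge)["nb"]
        return enc(self.sessions[peer], {"nb": nb - 1})

    def check_answer(self, peer, answer):
        return dec(self.sessions[peer], answer)["nb"] == self.pending.pop(peer) - 1


def run_protocol():
    """Full exchange; True when A and B end up sharing the same Kab."""
    s = KeyServer()
    a, b = Principal("A", s), Principal("B", s)
    ticket = a.initiate("B")
    who, challenge = b.accept_ticket(ticket)
    ok = b.check_answer(who, a.answer_challenge("B", challenge))
    return ok and a.sessions["B"] == b.sessions["A"]


def replay_old_ticket():
    """Message 3 carries no timestamp, so B accepts a recorded ticket again; an
    attacker who later obtains that run's Kab can finish step 5 as 'A'.
    Kerberos adds timestamps to close this (Denning and Sacco, 1981)."""
    s = KeyServer()
    a, b = Principal("A", s), Principal("B", s)
    ticket = a.initiate("B")
    who, challenge = b.accept_ticket(ticket)
    b.check_answer(who, a.answer_challenge("B", challenge))   # legitimate run completes
    leaked_kab = a.sessions["B"]                              # assumed compromised later
    who, challenge = b.accept_ticket(ticket)                  # attacker replays message 3
    nb = dec(leaked_kab, challenge)["nb"]
    return b.check_answer(who, enc(leaked_kab, {"nb": nb - 1}))   # True: B believes A
```

The nonce check in `initiate` is step 2's defence against a replayed server reply; the replay that succeeds is of message 3, which nothing in the protocol dates.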
12.5 Analyzing network security
In order to assess the potential risks to a site, we must gain some kind of overview of how the site works. We have to place ourselves in the role of an outsider: how would someone approach the network from outside? Then we have to consider the system from the viewpoint of an insider: how do local users approach the system?
To begin the analysis, we form a list:
• What hosts exist on our site?
• What OS types are used?
• What services are running?
• What bug patches are installed?
• Run special tools (nmap, SATAN, SAINT, TITAN) to automate the examination procedure and find obvious holes.
• Examine trust relationships between hosts.
This list is hardly a trivial undertaking. Simply building the list can be a lesson to many administrators. It is so easy to lose control over a computer network, so difficult to keep track of changes and the work of others in a team, that one can easily find oneself surprised by the results of such a survey. Having made the list, it should become clear where potential security weaknesses lie. Network services are a common target for exploitation. FTP servers and Windows's commercial WWW servers have had a particularly hard time with bugs which have been exploited by attackers.
Correct host configuration is one of the prerequisites for network security. Even if we have a firewall shielding us from outside intrusion, an incorrectly configured host is a security risk. Firewalls do not protect us from the contents of data which are relayed to a host. If a bug can be exploited by sending a hidden message, then it will get through a firewall. Some form of automated configuration checking should be installed on hosts. Manual checking of hosts is impractical even with a single host; a site which has hundreds requires an automated procedure for integrity checking. On Unix and Windows one has cfengine and Perl for these tasks.
Trust relationships are amongst the hardest issues to debug. A trust relationship is an implicit dependency. Any host which relies on a network service implicitly trusts that service to be reliable and correct. This can be the cause of many stumbling blocks. The complexity of interactions between host services makes many trust relationships opaque. Trust relationships occur in any instance in which there is an external source of information: remote copying, hostname lookup, directory services etc. The most important trust relationship of all is the Domain Name Service (DNS). Many access control systems rely on an accurate identification of the host name. If the DNS service is compromised, hosts can be persuaded to do almost anything. For instance, access controls which assign special privileges to a name can be spoofed if the DNS lookups are corrupted or intercepted. DNS servers are therefore a very important pit-stop in a security analysis.
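How a hostname-based access control is fooled through DNS, and the forward-confirmed reverse lookup that catches the simple case. Added example, not the book's code: the resolver tables are constructed and stand in for socket.gethostbyaddr and socket.getaddrinfo, and the attacker is assumed to control the reverse zone for its own address block, as any holder of an address block does. The double lookup does not help if the resolver's cache itself is poisoned, which is why the DNS servers remain the pit-stop.

```python
"""Why a hostname-based access control must not trust a single reverse lookup,
and the double-lookup check that defeats a spoofed PTR record.  Constructed
example for this page, not the book's code; the resolver tables are made up."""
import ipaddress

TRUSTED_HOSTS = {"fileserver.example.org", "admin.example.org"}

# Forward zone the site controls (constructed)
FORWARD = {
    "fileserver.example.org": ["192.0.2.10"],
    "admin.example.org": ["192.0.2.20", "192.0.2.21"],
}
# Reverse zone: the attacker owns 203.0.113.0/24 and publishes any PTR it likes
REVERSE = {
    "192.0.2.10": "fileserver.example.org",
    "192.0.2.20": "admin.example.org",
    "203.0.113.7": "fileserver.example.org",   # spoofed PTR record
}


def reverse_lookup(addr, reverse=REVERSE):
    """Stand-in for socket.gethostbyaddr()[0]."""
    return reverse.get(addr)


def forward_lookup(name, forward=FORWARD):
    """Stand-in for the addresses socket.getaddrinfo() returns for a name."""
    return forward.get(name, [])


def naive_allow(addr):
    """Trusts the PTR record alone: how rhosts-style checks were fooled."""
    return reverse_lookup(addr) in TRUSTED_HOSTS


def fcrdns_allow(addr):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the
    connecting address, and only then is the name compared with the list."""
    ipaddress.ip_address(addr)                     # reject junk before resolving
    name = reverse_lookup(addr)
    if name is None or addr not in forward_lookup(name):
        return False
    return name in TRUSTED_HOSTS


def audit(addrs=("192.0.2.10", "192.0.2.20", "192.0.2.21", "203.0.113.7")):
    """(naive verdict, forward-confirmed verdict) per address; 192.0.2.21 has no PTR."""
    return {a: (naive_allow(a), fcrdns_allow(a)) for a in addrs}
```

The attacker's 203.0.113.7 passes the naive check and fails the confirmed one; note that a legitimate host without a PTR record (192.0.2.21) is denied by both, so the reverse zone has to be maintained for this to work.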
Access control is the fundamental requirement for security. Without access controls there can be no security. Access controls apply to files on a filesystem and to services provided by remote servers. Access should be provided on a need-to-know basis. If we are too lax in our treatment of access rights, we can fall foul of intrusion. For example: a common error in the configuration of Unix file-servers is to grant arbitrary hosts the right to mount filesystems which contain the personal files of users. If one exports filesystems which contain users' personal data to Unix-like hosts, it should be done on a host-by-host basis, with strict controls.
If a user who is root on their own host (e.g. a portable PC running GNU/Linux) can mount a user filesystem (with files belonging to a non-root user), that person owns the data there. The privileged account can read any file on a mounted filesystem by changing its user ID to whatever it likes. That means that anyone with a laptop could read any user's mail or change any user's files. This is a huge security problem. Hosts which are allowed to mount NFS filesystems containing users' private data should be secured and should be active at all times: a trusted host that is switched off leaves its IP address free for an attacker to assume (IP spoofing), after which it is trivial to gain access to a user's files.
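An audit of NFS export lines for the mistake just described, with the weak configuration beside a corrected one. Added example, not the book's code: the exports lines are constructed and follow the exports(5) layout '/path host(options) host2(options)'. The example goes slightly beyond the text in also flagging no_root_squash, the option that lets a remote root stay root on the server (root_squash is the Linux default, but naming it makes the intent explicit).

```python
"""Audit NFS exports for home directories exported to arbitrary hosts, or to
hosts that keep root's identity.  Constructed example for this page, not the
book's code; the exports lines are made up and follow the exports(5) format."""
import re

WEAK_EXPORTS = """\
# constructed /etc/exports with typical mistakes
/home            *(rw)
/home/staff      192.0.2.0/24(rw,no_root_squash)
/export/iso      *(ro)
/home/research   lab7.example.org(rw,root_squash,secure) lab8.example.org(rw)
"""

HARDENED_EXPORTS = """\
# same shares, each limited to a maintained host, with root squashed
/home            ws1.example.org(rw,root_squash,secure) ws2.example.org(rw,root_squash,secure)
/home/staff      192.0.2.10(rw,root_squash,secure)
/export/iso      *(ro,root_squash)
/home/research   lab7.example.org(rw,root_squash,secure)
"""

ENTRY_RE = re.compile(r"^(\S+)\s+(.*)$")
CLIENT_RE = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Yield (path, client, set of options) for every client of every export."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                                   # path with no clients listed
        path, clients = m.groups()
        for token in clients.split():
            host, opts = CLIENT_RE.match(token).groups()
            yield path, host or "*", set(filter(None, (opts or "").split(",")))


def is_home(path):
    return path == "/home" or path.startswith("/home/")


def wide_open(host):
    """World, a name pattern, or a whole network rather than one host."""
    return host == "*" or "*" in host or "?" in host or "/" in host


def audit_exports(text):
    """Return one finding per problem: (path, client, reason)."""
    findings = []
    for path, host, opts in parse_exports(text):
        if is_home(path) and wide_open(host):
            findings.append((path, host, "user data exported to a wildcard or whole network"))
        if is_home(path) and "no_root_squash" in opts:
            findings.append((path, host, "remote root stays root: can read any user's files"))
        if "insecure" in opts:
            findings.append((path, host, "accepts mounts from unprivileged ports"))
    return findings


if __name__ == "__main__":
    for finding in audit_exports(WEAK_EXPORTS):
        print(*finding)
    print("hardened:", audit_exports(HARDENED_EXPORTS))
```

The weak file produces three findings (the world-readable /home, and both the network-wide export and no_root_squash on /home/staff); the hardened file produces none. The read-only ISO share exported to everyone is deliberately not reported, since it holds no user data.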
There are many tools written for Unix-like operating systems which can check the security of a site, literally by trying every conceivable security exploit. Tools like SPY [292], COPS, SATAN, SAINT, TITAN [111] and Nessus [224] are aimed at Unix-like hosts. Port scanners such as nmap will detect services on any host with any operating system. These tools can be instrumental in finding problems. Recent and frightening statistics from the Computer Emergency Response Team indicated that only a pitiful number of sites actually upgrade or install patches and review their security, even after successful network intrusions [160].
Having mapped out an overview of a network site, and used the opportunity both to learn more about the specifics of the system and to fix any obvious flaws, we can turn our attention to more specific issues at the level of hosts.
12.5.1 Password security
Perhaps the most important issue for network security, beyond the realm of accidents, is the consistent use of strong passwords. Unix-like operating systems which allow remote logins from the network are particularly vulnerable to password attacks. The rhosts and hosts.equiv files which allowed login without password challenge via rsh and rlogin were acceptable risks in bygone times, but these days one cannot afford to be lax about security. The problem with this mechanism is that rhosts and hosts.equiv use hostnames as effective passwords. This mechanism trusts DNS name service lookups, which can be spoofed in elaborate attacks. Moreover, if a cracker gets into one host, he/she will then be able to log in on every host in these files without a password. This greatly broadens the possibilities for effective attack. Typing a password is not such a hardship for users, and there are alternative ways of performing remote execution for administrators without giving up password protection (e.g. use of cfengine).
Password security is the first line of defence against intruders. Once a malicious user has gained access to an account, it is very much easier to exploit other weaknesses in security. Experience, indeed empirical evidence [219], shows that many users have little or no idea about the importance of using a good password. Consider some examples from a survey of passwords at a university. About 40 physicists had the password 'Einstein', around 10 had 'Newton' and several had 'Kepler'. Hundreds of users used their login-name as their password; some of them really went to town and added '123' to the end. Many girls chose 'horse' as their password. Even after extensive campaigns encouraging good passwords, users have a shocking tendency to trivialize this matter. User education is clearly an important weapon against weak passwords.
Some sites use schemes such as password aging in order to force users to change passwords regularly. This helps to combat password familiarity gained over time by local peer users, but it has an unfortunate side-effect. Users who tend to set poor passwords will not appreciate having to change their passwords repeatedly and will tend to rebel by setting trivial passwords if they can. Once a user has a good password, it is often advantageous to leave it alone. The problems of password aging are insignificant compared with the problem of weak passwords. Finding the correct balance between changing and leaving alone is a challenge.
Passwords are not visible to ordinary users, but their hashed form (loosely called the encrypted password) is often visible. Even on Windows systems, where a binary file format is used, a freely available program like PwDump can be used to decode the binary format into ASCII. There are many publicly available programs which guess passwords and compare the hashes of the guesses with the stored forms, e.g. crack, which is available both for Unix and for Windows. No one with an easy password is safe. Passwords should never be any word in a dictionary or a simple variation of such a word or name. It takes just a few seconds to guess these.
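What "just a few seconds" looks like: a dictionary run against a constructed password database, using the same approach as crack (hash each candidate with the account's salt and compare). Added example, not the book's code; PBKDF2-HMAC-SHA256 from the standard library stands in for the system's crypt(), and the users, salts, passwords and word list are made up to mirror the survey above. The `is_weak` function is the pre-check a site would run when a password is set, so that anything this guesser would find is rejected before it is stored.

```python
"""Dictionary guessing against a constructed password database, the way crack
works: hash each candidate with the stored salt and compare.  Constructed
example for this page, not the book's code.  PBKDF2-HMAC-SHA256 stands in for
the system's crypt(); users, salts and passwords are made up."""
import hashlib
import os

ROUNDS = 1000          # deliberately low so the demo runs in well under a second


def hash_password(password, salt, rounds=ROUNDS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def make_shadow(users):
    """Constructed shadow-style records: user -> (salt, hash)."""
    shadow = {}
    for user, pw in users.items():
        salt = os.urandom(8)
        shadow[user] = (salt, hash_password(pw, salt))
    return shadow


SAMPLE_USERS = {           # constructed; the first three are the weak kinds in the survey
    "einstein7": "Einstein",
    "mkaplan": "mkaplan123",
    "jlee": "horse",
    "sysadm": "Corr3ct-H0rse-Battery!",
}
WORDLIST = ["password", "einstein", "newton", "kepler", "horse", "letmein"]


def candidates(user, wordlist):
    """Login name, dictionary words, and the simple variations users favour."""
    for w in [user] + wordlist:
        yield w
        yield w.capitalize()
        yield w + "123"
        yield w + "1"
        yield w[::-1]


def crack(shadow, wordlist=WORDLIST):
    """Return {user: guessed password} for every account a guess matches."""
    found = {}
    for user, (salt, digest) in shadow.items():
        for guess in candidates(user, wordlist):
            if hash_password(guess, salt) == digest:
                found[user] = guess
                break
    return found


def is_weak(password, user, wordlist=WORDLIST):
    """Pre-check when a user sets a password: reject anything crack would get."""
    return len(password) < 8 or password in set(candidates(user, wordlist))


if __name__ == "__main__":
    print(crack(make_shadow(SAMPLE_USERS)))   # three of the four accounts fall
```

Three of the four constructed accounts fall to 35 guesses each; the remaining one is found by neither the word list nor the variations. Real crackers use far larger lists and far more mangling rules, so the check at setting time should be at least as thorough as the attacker is expected to be.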
Modern operating systems have shadow password files or databases that are not readable by normal users. For instance, the Unix password file contains an 'x' instead of a password, and the hashed password is kept in a separate file readable only by root. This makes it much harder to scan the password file for weak passwords.
Tools for password cracking (e.g. Alec Muffett's crack program) can help administrators find weak passwords before crackers do. Other tools can be obtained from security sites to prevent users from typing in weak passwords. See refs. [300, 72, 4, 153].
12.5.2 Password sniffing
Many communication protocols (telnet, ftp etc.) were introduced before security was a concern amongst those on the Internet, so many of these protocols are very insecure. Passwords are often sent over the network as plain text. This means that a sophisticated cracker could find out passwords simply by listening to everything happening on the network and waiting for passwords to go by. If a cracker has privileged access to at least one machine with a network interface on the same network, he/she can use tcpdump to capture all network traffic. Normal users do not have this privilege for precisely this reason. These days, however, anyone with a laptop, an Ethernet card and a GNU/Linux installation could do this. Switched networks were once thought to be immune to this problem, since traffic is forwarded directly from port to port; however, there now exist tools that can poison the ARP cache and cause packets to be rerouted, so switching is only a minor hindrance to password sniffing. In principle, any mildly determined user could do this.
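What a sniffer on the segment actually recovers: raw Ethernet/IPv4/TCP frames decoded, and the FTP USER/PASS lines pulled out of the client-to-server byte stream. Added example, not the book's code: no interface is opened, the frames are built inline with struct, and the addresses and credentials are constructed. Reassembly here is in capture order; a real tool orders segments by sequence number.

```python
"""What a sniffer sees when a protocol sends passwords in the clear: frames are
decoded and FTP/POP3 USER and PASS lines pulled out per flow.  Constructed
example for this page, not the book's code; frames are built with struct (no
capture file, no live interface) and addresses and credentials are made up."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, ethertype
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # ver/IHL, TOS, len, id, frag, TTL, proto, csum, src, dst
TCP_HDR = struct.Struct("!HHIIBBHHH")    # sport, dport, seq, ack, offset, flags, win, csum, urg
CLEARTEXT_PORTS = {21: "ftp", 110: "pop3"}


def build_frame(src_ip, dst_ip, sport, dport, payload, seq=0):
    """Minimal Ethernet/IPv4/TCP frame for the demo (checksums left zero)."""
    tcp = TCP_HDR.pack(sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = IP_HDR.pack(0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return ETH_HDR.pack(b"\xaa" * 6, b"\xbb" * 6, 0x0800) + ip + tcp


def parse_frame(frame):
    """Return (src_ip, dst_ip, sport, dport, payload), or None if not IPv4/TCP."""
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != 0x0800:
        return None
    ip = frame[ETH_HDR.size:]
    vihl, _, total_len, _, _, _, proto, _, src, dst = IP_HDR.unpack_from(ip)
    if proto != 6:
        return None
    tcp = ip[(vihl & 0x0F) * 4:total_len]          # honour the IP header length
    sport, dport, _, _, offset_byte, *_ = TCP_HDR.unpack_from(tcp)
    data = tcp[(offset_byte >> 4) * 4:]             # skip TCP options, if any
    return (".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, data)


def sniff_credentials(frames):
    """Reassemble client->server bytes per flow and pick out USER/PASS lines."""
    streams = defaultdict(bytes)
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None or parsed[3] not in CLEARTEXT_PORTS:
            continue                                # server replies and other ports ignored
        src, dst, sport, dport, data = parsed
        streams[(src, dst, sport, dport)] += data   # capture order; real tools sort by seq
    creds = []
    for (src, dst, sport, dport), data in streams.items():
        user = password = None
        for line in data.split(b"\r\n"):
            if line.upper().startswith(b"USER "):
                user = line[5:].decode(errors="replace")
            elif line.upper().startswith(b"PASS "):
                password = line[5:].decode(errors="replace")
        if user or password:
            creds.append((CLEARTEXT_PORTS[dport], src, dst, user, password))
    return creds


# Constructed traffic: one FTP login split over several segments, plus TLS noise
SAMPLE_FRAMES = [
    build_frame("192.0.2.55", "192.0.2.10", 40001, 21, b"USER alice\r\n", seq=1),
    build_frame("192.0.2.10", "192.0.2.55", 21, 40001, b"331 Password required\r\n"),
    build_frame("192.0.2.55", "192.0.2.10", 40001, 21, b"PASS s3cret", seq=13),
    build_frame("192.0.2.55", "192.0.2.10", 40001, 21, b"-pw\r\n", seq=24),
    build_frame("192.0.2.55", "192.0.2.99", 40002, 443, b"\x16\x03\x01\x00\x50"),
]

if __name__ == "__main__":
    print(sniff_credentials(SAMPLE_FRAMES))
```

The password arrives split across two segments, which is why the example reassembles the flow before matching rather than looking at one packet at a time; the TLS frame to port 443 carries nothing readable and is skipped.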
Programs which dump all network traffic include tcpdump, etherfind, snoop and ethereal. Here is a sample of the output from Solaris' snoop program showing the Ethernet traffic from a segment of cable. Snoop recognizes common high-level protocols (SMTP/FTP/ARP etc.) and lists them explicitly. Unknown protocol types